MyCertStack logoMyCertStack

    AWS - Solutions Architect Associate Study Guide

    1: Design Secure Architectures

    This chapter covers the largest scoring domain of the SAA-C03 exam. You will learn how to design secure access using IAM, protect workloads with VPC architecture and AWS security services, and implement data security controls including encryption and key management. Mastering this domain is non-negotiable for passing the exam.

    Learning Objectives

    By the end of this chapter, you will be able to:

    • Design secure access to AWS resources using IAM users, groups, roles, policies, and federation
    • Apply AWS security best practices including least privilege, MFA, and multi-account strategies
    • Design secure workloads and applications using VPC architecture, security groups, network ACLs, and AWS security services
    • Determine network segmentation strategies and secure external connectivity options
    • Determine appropriate data security controls including encryption at rest and in transit, key management, and data lifecycle policies
    • Align AWS technologies to meet compliance, backup, and data protection requirements

    Executive Summary

    • AWS security follows the Shared Responsibility Model: AWS secures the infrastructure ("security OF the cloud"), and you secure your configurations, data, and access ("security IN the cloud"). Every exam question about "who is responsible" traces back to this line.
    • Identity in AWS is layered: the root user owns the account, IAM users and roles grant operational access, policies define permissions, and Organizations with SCPs constrain what entire accounts can do. Never use root for daily tasks.
    • Network security in AWS is defense-in-depth: VPCs provide isolation, subnets create segmentation, security groups filter at the instance level (stateful), and NACLs filter at the subnet level (stateless). Layering these correctly is the foundation of secure architecture.
    • Data protection requires encryption everywhere — at rest with KMS and in transit with TLS — combined with access policies, key rotation, backups, and lifecycle rules that satisfy both operational and compliance requirements.

    Assumptions

    • All examples reference the AWS global commercial regions. GovCloud and China regions have isolated IAM and identity partitions and are not covered unless stated.
    • IAM is a global service — IAM users, groups, roles, and policies are not tied to a specific Region.
    • "Console" refers to the AWS Management Console (the web UI). "CLI" refers to the AWS Command Line Interface.
    • DXA measurements of costs or performance are qualitative unless an official AWS number is cited.

    Sections in this chapter

    1. Free
    2. Free with account
    3. Free with account
    4. Free with account